I manage several hundred firewalls that use a shared policy via CSM, and I have the need to add new group-objects to several object-groups. I know that I could go through CSM and manually add the required group-objects to each object-group, but I would like to add them all at once via a CLI import or policy object import script. The issue I'm running into is that CSM does not seem to allow this.
When I attempt to update network object-groups via CLI import, CSM just creates a new object-group with _1 tacked onto the end. For example, if I have an object-group named "Test" that contains the object "Host1" and I run the following CLI lines under Tools > Import Rules from CSM:
object-group network Test
Instead of adding Host2 to the Test object-group (which it would if I were running the lines on a single firewall CLI), CSM creates a second object-group named Test_1 that only contains the Host2 object. This doesn't help me because I already have rules in the shared policy that specifically reference the "Test" object-group, and I don't want/need to tack on additional object-groups to the existing rule.
It doesn't seem possible to update an object-group via CSV import either, since the Perl script will fail if it detects an import with the same group name as an existing object-group.
Is there any way to add additional group-objects to existing object-groups in CSM other than manually adding each one by right-clicking the object-group and choosing "Edit Object"?